Hey everyone,
I'm working at a school where I've set up RADIUS for Wi-Fi authentication using PEAP, and it's been running smoothly. However, I'm a bit stressed about managing certificates, especially since I'm currently using a self-signed certificate. I have a couple of questions:
First, is there any benefit to switching to a public certificate authority like Let's Encrypt? I know they offer auto-renewal every 90 days, but is there a way to automate the deployment of the new certificates to NPS so I don't have to do it manually every time?
Secondly, when the RADIUS certificate changes, what happens to the clients? Will they get disconnected or have to accept a new certificate? I've seen mixed information on this—some say clients will reconnect without any issues as long as the root CA remains the same, while others suggest reauthentication is needed. How can I minimize user intervention during the renewal process?
Thanks for your help!
3 Answers
PeAP with MS-CHAPv2? That’s partially unsupported on Windows 11 unless you disable Credential Guard. For your NPS cert, if you lack a private CA, a public certificate is decent but just ensure it’s auto-renewed because you really don't want to manage it manually every time. Also, clients will need to accept the new certificate when it changes unless you have a policy set to trust specific root certs. Self-signed certs require user interaction with no way around that.
What if I set up a root CA that doesn’t expire for ages, like 999 years? Would that work well?
For this kind of setup, I'd recommend not using Let’s Encrypt. It’s a perfect scenario for an internal enterprise CA. If you're using Active Directory Certificate Services (ADCS) with automatic enrollment and renewal, you'll pretty much have a hands-off approach to certificate management.
Here's a straightforward plan: First, set up an internal CA (Windows' own is good). Next, deploy the CA certificate across all company devices via GPO, MDM, or Intune. Set up an auto-enrollment certificate template for all your Windows clients. Remember, if the CA cert changes, you’ll need to push the new one out again. Just note that keeping a longer lifetime on your root cert can help avoid constant updates, but don't overdo it!
But functionality-wise, is there any real advantage to a public CA? I've noticed some students with cheaper Android phones ask for domain verification with the CA, since they can't just skip validation. With an internal CA, there's no domain check, right? Just curious if using a public CA would make it easier for them.
Actually, you bring up a good point! If public providers like Let's Encrypt are trusted, that could mean no re-accepting of certificates when they renew.
Got it! So as long as I set up that policy, it should ease the process. Appreciate the info!